WHAT IS CLAIMED IS: 



1 1 . A method of operating an integrated circuit with on-chip volatile 

2 program memory comprising: 

3 inputting a stream of data comprising unencrypted configuration data to 

4 the integrated circuit; 

5 encrypting the unencrypted configuration data using a security circuit of 

6 the integrated circuit and a security key stored in the integrated circuit; and 

7 outputting a stream of encrypted configuration data from the integrated 

8 circuit. 

1 2. The method of claim 1 wherein the stream of data is input serially. 

1 3. The method of claim 1 comprising: 

2 configuring the integrated circuit using the unencrypted configuration data. 

1 4. The method of claim 1 comprising: 

2 storing the stream of encrypted configuration data in a nonvolatile storage 

3 device. 

1 5 . The method of claim 4 comprising: 

2 inputting the stream of encrypted configuration data from the nonvolatile 

3 storage device to the integrated circuit; 

4 decrypting the encrypted configuration data using the security circuit of 

5 the integrated circuit and the security key; and 

6 configuring the integrated circuit with a decrypted version of the encrypted 

7 configuration data. 

1 6. The method of claim 1 wherein the stream of configuration data 

2 includes a header indicating the configuration data is unencrypted. 

1 7. The method of claim 5 wherein the stream of encrypted 

2 configuration data includes a header indicating the configuration data is encrypted. 

1 8. The method of claim 1 comprising: 

2 generating the security key using a random number generator circuit of the 

3 integrated circuit. 
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1 9. The method of claim 1 comprising: 

2 storing the security key in a device ID register of the integrated circuit. 

1 10. The method of claim 1 wherein the stream of configuration data 

2 comprises preamble, header, initial value, configuration data, and message authentication 

3 code portions. 

1 11. The method of claim 9 wherein the ID register is nonvolatile. 

1 12. The method of claim 1 wherein the unencrypted configuration data 

2 has approximately the same number of bits as the encrypted configuration data. 

1 13. The method of claim 8 further comprising: 

2 storing the security key in a device ID register of the integrated circuit. 

1 14. The method of claim 1 0 wherein information in the preamble 

2 indicates whether the configuration data of the stream is encrypted or unencrypted. 

1 15. The method of claim 10 wherein based on the preamble, the 

2 integrated circuit can determine whether the stream of data is for a previous version of the 

3 programmable gate array, without a security scheme, or the stream of data is for a version 

4 of the integrated circuit with the security scheme. 

1 16. The method of claim 1 0 wherein using the preamble, a integrated 

2 circuit with a security scheme will be backwards compatible with versions of the 

3 integrated circuit without the security scheme. 

1 17. The method of claim 1 0 comprising: 

2 when the preamble is a first value, processing the stream of data as a 

3 stream of data for a version of the integrated circuit without a security scheme; and 

4 when the preamble is a second value, different from the first value, 

5 processing the stream of data as a stream of data for a version of the integrated circuit 

6 with the security scheme. 

1 18. The method of claim 9 wherein the ID register is backed up using 

2 an external battery. 
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1 19. The method of claim 1 wherein the stream of data is loaded using a 

2 JTAG interface of the integrated circuit. 

1 20. The method of claim 1 wherein the stream of data is provided using 

2 a microprocessor. 

1 21 . The method of claim 1 comprising: 

2 receiving the stream of encrypted configuration data using a 

3 microprocessor. 

1 22. The method of claim 21 comprising: 

2 using the microprocessor, writing the encrypted configuration data into a 

3 nonvolatile storage device. 

1 23. The method of claim 4 wherein the nonvolatile storage device is a 

2 serial EPROM or serial EEPROM. 

1 24. The method of claim 4 wherein the nonvolatile storage device is a 

2 Flash memory. 

1 25. The method of claim 1 1 wherein the ID register comprises floating- 

2 gate transistors. 

1 26. The method of claim 1 1 wherein the ID register comprises fuses. 

1 27. The method of claim 1 1 wherein the ID register comprises 

2 antifuses. 

1 28. The method of claim 1 1 wherein the ID register is programmed 

2 during manufacture of the integrated circuit. 

1 29. The method of claim 28 wherein the ID register is programmed 

2 using a laser. 

1 30. The method of claim 28 wherein the ID register is programmed 

2 using a high voltage. 
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1 31. The method of claim 1 8 wherein the external battery is coupled to a 

2 first power supply terminal to the ID register, and a second power supply terminal for 

3 non-backed up circuits is not coupled to the external battery. 

1 32. The method of claim 1 wherein the security key has a fixed value 

2 and further comprising: 

3 generating an initial value for the security circuit; and 

4 outputting the initial value from of the integrated circuit. 

1 33. The method of claim 32 wherein the unencrypted configuration 

2 data is encrypted using the initial value. 

1 34. The method of claim 32 wherein the initial value is generated using 

2 a random number generator. 

1 35. The method of claim 1 wherein the security circuit encrypts the 

2 unencrypted configuration data using a triple data encryption standard in a cipher block 

3 chaining mode algorithm. 

1 36. The method of claim 1 1 wherein the device ID register is 

2 implemented using an error correcting code scheme. 

1 37. A method of operating a integrated circuit comprising: 

2 receiving first encrypted configuration data and a first security key from a 

3 network; 

4 decrypting the first encrypted configuration data to obtain unencrypted 

5 configuration data using a first security key using user programmed circuitry of the 

6 integrated circuit; and 

7 encrypting the unencrypted configuration data using a second security key 

8 and a fixed security circuit of the integrated circuit to obtain second encrypted 

9 configuration data. 

1 38. The method of claim 37 further comprising: 

2 outputting the second encrypted configuration data from the integrated 

3 circuit. 
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1 39. The method of claim 38 further comprising: 

2 storing the second encrypted configuration data in a nonvolatile storage 

3 device. 

1 40. The method of claim 39 wherein the nonvolatile storage device is a 

2 serial EPROM. 

1 41. The method of claim 3 7 wherein the second security key is stored 

2 in an ID register of the integrated circuit. 

1 42. The method of claim 37 wherein the configured user logic outputs 

2 the unencrypted configuration data to the security circuit using an on-chip 

3 interconnection. 

1 43 . The method of claim 37 further comprising: 

2 configuring the integrated circuit using the unencrypted configuration data. 

1 44. The method of claim 37 wherein the first encrypted configuration 

2 data is serially transferred to an I/O pin of the integrated circuit. 

1 45 . The method of claim 37 wherein the security circuit encrypts the 

2 unencrypted configuration data using a triple data encryption standard (DES) in a cipher 

3 block chain (CBC) mode algorithm. 

1 46. A field programmable gate array comprising: 

2 a serial interface for loading initial configuration and key information; 

3 a battery-backed on-chip memory for storing the cryptographic key; 

4 a triple-DES encryption circuit; and 

5 an interface to an external nonvolatile memory for storing encrypted 

6 configuration data. 

1 47. A method for securely configuring an FPGA comprising: 

2 loading key information into an on-chip battery-backed register; 

3 loading an initial configuration through a JTAG interface; and 

4 storing an encrypted version of the configuration in an external nonvolatile 

5 memory. 



32 



1 48. A field programmable gate array comprising: 

2 a plurality of static random access memory cells to store a configuration of 

3 user-configurable logic of the field programmable gate array; 

4 an ID register to store a security key; and 

5 a decryption circuit to receive and decrypt a stream of encrypted 

6 configuration data using the security key, and generate decrypted configuration data for 

7 configuring the static random access memory cells. 

1 49. The field programmable gate array of claim 48 further comprising: 

2 a first positive supply input pin coupled to the static random access 

3 memory cells, user-configurable logic, and decryption circuit; and 

4 a second positive supply input pin coupled to the ID register, wherein the 

5 second positive supply input is to be coupled to an external backup battery. 

1 50. The field programmable gate array of claim 49 wherein when 

2 power is removed from the first positive supply input pin, the configuration of the static 

3 random access memory cells is erased, and the security key stored in the ID register is 

4 maintained by the external backup battery. 

1 51. The field programmable gate array of claim 50 wherein the 

2 external backup battery only supplies power to the ID register. 

1 52. The field programmable gate array of claim 48 wherein the 

2 decryption circuit decrypts the stream of encrypted configuration data using a triple-DES 

3 algorithm. 

1 53 . The field programmable gate array of claim 49 further comprising: 

2 a random number generator circuit to generate the security key. 

1 54. The field programmable gate array of claim 5 1 wherein a current 

2 draw on the external backup battery is about a microamp or less. 

1 55 . The field programmable gate array of claim 5 1 wherein current 

2 draw on the external backup battery is about 1 0 microamps or less. 
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